Cyber Security and Privacy: Speaking the Language of the Business
Finding it difficult to engage with the business? Have you tried speaking a language they understand? We IT, security and privacy people have difficulty engaging the business in what we do, how we do it, why we do it and, more importantly, why we are needed.
Mind your language
Ever since I have been in security, and it’s been a long time, security and IT people engaging the business has been a challenge. It’s as if we speak a completely different language from each other. It’s like someone speaking French to someone who only understands English. Both are European languages and may have common words, but they are still different languages. So, when a security or IT person talks about servers, endpoints, switches, firewalls, SIEM and DLP to, say, the Chief Marketing Officer or the Chief People Officer, they may have heard of firewalls and servers, but you may as well be speaking C++ or Python to them. It’s a language they just don’t understand or relate to.
Recently, I attended a security meet-up and the same topic came up at the panel discussion, made up of senior privacy and security people. They were lamenting the difficulty of engaging the business on cybersecurity and getting the attention cybersecurity deserved. They were right of course; it’s been a perennial problem. You would, therefore, think that with cybersecurity being a breaking news item every week, and with supporting regulations such as the #GDPR, #CCPA and a myriad of other regulations from around the world, this would not be such a big issue. #Business and top leadership should be permanently engaged. However, it apparently is. So, what is the problem?
A different paradigm
The panel moved on to the next topic, which was assets, and started defining assets as switches, servers and endpoints. You know, the stuff IT people see as assets. I could not help but intervene and ask why security leaders were speaking about assets in terms of hardware and software. Is this not one of the main issues that stops us from having those important conversations with the business leaders?
These may well be assets for the IT people, service desk, IT service management, procurement or even the CIO, and need to be accounted for. However, they mean nothing to the Chief Marketing Officer (CMO) or the Chief People Officer (CPO). Their asset is the data and people they rely on for running their functions. For the CMO, it is the marketing data in the CRM or a database. For the CPO, it is the employee data they hold in their HR systems. Both want to be assured that their data is secure and available and meets regulatory requirements. It is the data that is their asset. So should we not be speaking to the business in terms of what they understand and want to hear, and not about servers, endpoints, switches and so on? They have probably never seen a server or a switch, and why should they? It is IT’s business.
To them, it does not matter whether their data is stored on a server or in the cloud; as long as it is available when they need it, that is all they should care about. Therefore, we should be seeing their perspective and speaking to them in terms of data, supporting their critical processes and managing business risks: the language they understand. Unfortunately, we don’t. We still speak as if we are speaking to a colleague and not the client, and hence we lose their interest as soon as we start talking about technical items. We may as well be speaking an alien language. Businesses just want to get on with, err, running the business, not worrying about IT. Do they worry about electricity, gas or the lifts working? Of course not, they just expect things to work. So why must they understand how a firewall works?
Earning a place at the table
Yes, it is a two-way street. Security people cannot secure data without help from the business, as there are data touch points that expose data to non-technical people. We need the business to help us educate and empower them with knowledge and tools, at all times mindful that IT is not the business; it is only an enabler, a tool, just like security. Security should give them the confidence to do more, take business risks and innovate, knowing fully that what they do will be secure. It is therefore vital that we understand the audience, their perspective and their concerns, and calibrate our language appropriately. Speak about what a disruption to the database could mean to their marketing campaign or their new year’s hiring campaign, and how, if the data were not accurate or secure, it could open the business to regulatory risks and reputational damage, which could mean their marketing budgets would be blown. And we must always come with a solution for them. The business does not want to hear only of problems and what they can or can’t do; they will look to you for a solution too. This is why we are there, right? One of my favourite sayings is: “don’t just cry fire, but also bring a bucket full of water to put the fire out.”
When we start speaking a language the business leaders understand then we will get invited to the conversations and the top table.
---------------------------
Moyn Uddin is the Head of Security and Privacy at CYBER COUNSEL. Please get in touch if you need help with engaging the business, compliance with the #GDPR and all aspects of cybersecurity.
https://www.dhirubhai.net/company/cybercounseluk/
Phone: 07960 387876
COO, SiETECH UK. Identity Management, AI/ML, Privacy, Digital Transformation, Operations.
5 years ago: Moyn. Good article. I have always sat on that bridge between the business and IT providing that liaison role and although the conversation content has changed significantly in 25 years, the translation role still remains and will continue to evolve.
The Data Diva | Data Privacy & Emerging Technologies Advisor | Technologist | Keynote Speaker | Helping Companies Make Data Privacy and Business Advantage | Advisor | Futurist | #1 Data Privacy Podcast Host | Polymath
5 years ago: Michael F D Anaya this is a great article and great advice for anyone.
When my daughter's not dumping a tree load of snow on my head, my passion is helping business leaders make sense of cyber.
5 years ago: Another challenge is applying a % likelihood and estimated cost to that information asset's risk. This makes it possible to place cyber risk into the general risk discussion in the boardroom to prioritise infosec investment.
KINDNESS INFLUENCER | EXECUTIVE PRODUCER - THE KINDNESS FACTOR | KEYNOTE SPEAKER| KINDNESS WORLDWIDE AMBASSADOR | AUTHOR | KINDNESS HABIT NEWSLETTER | LET'S CONNECT TODAY! | SCROLL DOWN TO FOLLOW MY POSTS.
5 years ago: Insightful article. I agree that it is vital to understand and speak the C-Suite Language. I would also argue, however, that in the digital times we live in, as organizations become digital organizations providing whatever service they may be providing, C-Suite leadership is going to have to go through somewhat of a paradigm shift and become more cybersecurity savvy if they want to survive. I also believe that with the continued expansion of the digital landscape, the IT infrastructure and cybersecurity components that protect the assets (i.e. the data) that the C-Suite care about, along with the people who configure, integrate and maintain those components, are going to have to be seen as core business functions rather than just business enablers. Without them, no matter how great the business strategy, there would be no business.
Helping global data protection leaders turn digital complexity into clear, actionable strategies
5 years ago: A different take on a similar topic, Moyn. I also suggest some other approaches to engaging with executives in an article I wrote about a month ago: https://www.dhirubhai.net/pulse/getting-executive-buy-in-your-data-protection-program-tim/